Georgia Institute of Technology Researchers Bridge the Airgap 86
An anonymous reader writes Hacked has a piece about Georgia Institute of Technology researchers keylogging from a distance using the electromagnetic radiation of CPUs. They can reportedly do this from up to 6 meters away. In this video, using two Ubuntu laptops, they demonstrate that keystrokes are easily interpreted with the software they have developed. In their white paper they talk about the need for more research in this area so that hardware and software manufacturers will be able to develop more secure devices. For now, Faraday cages don't seem as crazy as they used to, or do they?
Add noise (Score:5, Interesting)
I was working at a defense contractor in the '80's when the whole "Tempest" program started.
Rather than shield equipment, we simply added a small amount of broadband noise.
The problem isn't to limit emission: The problem is to frustrate detection.
Re:Add noise (Score:5, Interesting)
Really it's amazing how easy it is for people to forget things like Van Eck phreaking http://en.wikipedia.org/wiki/V... [wikipedia.org] have been around for going on three decades now.
Re: (Score:1)
No, I don't think people are forgetting things have been going on for three decades...
Re: (Score:1)
I think the main problem is that many people on here aren't old enough to remember those things in the first place. TEMPEST was big in the 80s and early 90s, but outside of military and electronic payment circles, people haven't been too concerned about it in the last 15 years. So it could possibly be new to a lot of the under-30 crowd.
Re: (Score:2, Informative)
Yep. Ditto. I still recall one young smartass demonstrating to our boss that he could display what was on the Boss's computer monitor from about 30 feet away with an antenna and a circuit he built with a breadboard.
A Faraday cage IS the only way to protect against this with 100% reliability.
Re: Add noise (Score:1)
Wrong: the cage only prevents the emf, none in or out. But the person in the cage needs information, therefore you break the cage by allowing filtered information access. Even that is "editable/recordable". More garbage.
Re: (Score:2)
What if there were five cages?
1) computer box
2) keyboard
3) screen
4) kbd cable from computer to keyboard
5) shielded cable from computer to screen
Won't this prevent cpu/screen/keyboard signals from being intercepted?
Re: Add noise (Score:4, Interesting)
Properly shielded equipment uses different methods to 'break the cage'. It's been many decades, but some of the heavily shielded designs I did in the 80's involved opto-isolators. Yes, that's right. Want to avoid radiating information? Use light.
Keep in mind that the structure of the faraday cage depends on the frequency of the data being transmitted. It does not have to be unbreakable tin foil. Properly sized metal mesh will also do the job. Just ask anyone who tries to get a Wifi signal through an old wall with expanded metal lath and plaster.
Re: (Score:2)
Properly shielded equipment uses different methods to 'break the cage'. It's been many decades, but some of the heavily shielded designs I did in the 80's involved opto-isolators. Yes, that's right. Want to avoid radiating information? Use light.
this used to make sense to me, but now that I understand that light is just part of the EM spectrum, I find myself confused.
Re: (Score:2)
No, it does not even do that. It only weakens the signal.
Re: (Score:3)
Or, if you're in a spy movie, you could have an array of jamming antennas that leave a quieter zone corresponding to a weakness in your Faraday cage, and right there you broadcast a signal you generate that interprets back to the random browsing of this fellow from India whom you pay to have spyware recording and sending you his online activities.
Re: (Score:3)
In actual use faraday cages can be readily subverted by incoming power lines. For a building wide faraday cage to be secure power lines must be conditioned to prevent data interception via subverted hardware within the faraday cage, otherwise that unsecured wire leads right from the supposedly secure hardware to a power station many kilometres away and connected to every other device hooked up to the same power source. Other things must also be looked at like water pipes, tapping into the earth circuit or
Re: (Score:2)
It is not. A Faraday cage is great for shielding a static E field (for this, it is perfect if made from a perfect conductor or you wait infinitely long), but it does exactly nothing for shielding the B part. Hence a Faraday cage _weakens_ electromagnetic radiation, but it does not block it completely. What you need is proper EM-shielding, which can be accomplished with any conducting material, but the effect is dependent on thickness.
It is fascinating though that you think a Faraday cage would give you 100% rel
Re: (Score:2)
There is no reason to believe me, but maybe have a look into a physics book sometime? This is science, not religion.
Re:Add noise (Score:4, Interesting)
Does the broadband noise still drown out the desired signal sufficiently to prevent reconstruction, or does our increased emphasis on high-speed digital busses (often designed to operate with some amount of error correction in the event of cheap lousy hardware being cheap and lousy) make it more tractable to either unambiguously pick the correct interpretation of a noisy input, or make a number of guesses and use known features of the bus to help eliminate the incorrect ones?
Re:Add noise (Score:5, Informative)
Well, it has lost a lot of effectiveness because we switched from CRTs to LCDs - a CRT has very distinct emission patterns because it has to drive the electron beam around. So you can detect when the syncs happen because they're driven by huge magnetic field coils on the side of the CRT in a standard frequency and pattern (vsync happens at the Hz level, hsync at the kHz level), and the amplifiers that drive the electron guns emit a lot of RF as they operate.
These days the emissions are far lower because we're not having to accelerate an electron beam, so the amplitudes are lower. Sure you can sniff the signal cabling but unless you're using analog cabling, most external signalling use a form of encoding that's designed to minimize RF emissions. Not because of Van Eck, but because they want to spread the peaks of emissions across a broadband range which makes it easier to pass RF emissions tests (e.g., FCC emissions tests).
So using a DVI or HDMI cable causes the signal to smear (TMDS - transition minimized differential signalling - transitions cause the big spikes in RF emissions, so if you can minimize them, you can increase rise/fall times which lowers RF emissions, spreading and smearing the signal across a wider frequency band and trying to hide it in the noise).
Of course, most digital busses don't do this (they assume the entire system will be RF shielded), same as CPUs so with the right receiver, those signals show up pretty clearly, especially if you can compromise the RF shielding.
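The trade-off raised in the question above (does added broadband noise still frustrate reconstruction, or can a patient receiver average it away?) can be put in numbers with a small simulation. The following is an added example, not code from the thread or from the Georgia Tech paper: it models a deterministic, repeating emission (like the sync pattern of a CRT described in this reply) as +1/-1 symbols, buries it in Gaussian masking noise, and compares one-shot decoding against coherent averaging over repeated periods. The symbol pattern, amplitudes, noise levels and repeat count are all constructed values.

```python
import math
import random

# Constructed repeating emission: 64 symbols of +1/-1 (a sync-like pattern).
SYMBOLS = [1 if (i // 4) % 2 == 0 else -1 for i in range(64)]


def observe(symbols, amplitude, noise_sigma, rng):
    """One period of the emission as seen by a receiver: scaled symbols plus Gaussian noise."""
    return [amplitude * s + rng.gauss(0.0, noise_sigma) for s in symbols]


def decode(samples):
    """Hard decision per symbol: the sign of the received sample."""
    return [1 if x >= 0.0 else -1 for x in samples]


def bit_error_rate(symbols, decoded):
    """Fraction of symbols the receiver got wrong."""
    errors = sum(1 for s, d in zip(symbols, decoded) if s != d)
    return errors / len(symbols)


def average_repeats(symbols, amplitude, noise_sigma, repeats, rng):
    """Coherent average over `repeats` periods: the fixed pattern adds up, the noise averages down."""
    acc = [0.0] * len(symbols)
    for _ in range(repeats):
        for i, x in enumerate(observe(symbols, amplitude, noise_sigma, rng)):
            acc[i] += x
    return [a / repeats for a in acc]


def averaging_gain_db(repeats):
    """SNR improvement a receiver gets from averaging `repeats` identical periods."""
    return 10.0 * math.log10(repeats)


def noise_needed_for(repeats, one_shot_sigma):
    """Masking noise level that restores the one-shot situation after `repeats` averages."""
    return one_shot_sigma * math.sqrt(repeats)


def simulate(amplitude, noise_sigma, repeats, seed=1):
    """Return (one-shot BER, BER after averaging) for a given signal/noise budget."""
    rng = random.Random(seed)
    one_shot = bit_error_rate(SYMBOLS, decode(observe(SYMBOLS, amplitude, noise_sigma, rng)))
    averaged = bit_error_rate(
        SYMBOLS, decode(average_repeats(SYMBOLS, amplitude, noise_sigma, repeats, rng)))
    return one_shot, averaged


if __name__ == "__main__":
    # Masking noise about 10 dB above the emission: one-shot decoding fails, 400 averages recover it.
    print("noise 3x signal, one-shot vs 400 averages:", simulate(1.0, 3.0, 400))
    print("averaging gain for 400 repeats: %.1f dB" % averaging_gain_db(400))
    # Noise sized for that averaging budget keeps the averaged BER near one-shot levels.
    sigma = noise_needed_for(400, 3.0)
    print("noise %.0fx signal, one-shot vs 400 averages:" % sigma, simulate(1.0, sigma, 400))
```

Averaging N repeats of a fixed pattern buys the receiver 10·log10(N) dB, so a masking margin that defeats a one-shot receiver needs another 26 dB against one that can listen through 400 periods. That is the practical answer to the question: noise injection works only against emissions that do not repeat, or for as long as the receiver cannot integrate, and it has to be budgeted together with attenuation rather than in place of it.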
Re: (Score:2)
From the history books:
Declassified NSA Document Reveals the Secret History of TEMPEST [wired.com]
Yeah, I know that one. It's like singing in the bathroom so nobody hears you farting.
Fortunately/unfortunately (depending on your POV) it's getting easier to detect the signal inside the noise.
Old news (Score:5, Insightful)
Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.
You don't need any fancy equipment, any AM radio will do.
Re: (Score:3)
Unfortunately only works on CRTs; but it's a heartwarmingly neat trick.
Re: (Score:2)
Very, very old news.
We did this circa 1971 in High School, Cass Technical High School, Detroit, Michigan [wikipedia.org] placing an AM radio on the console of an IBM 1620 [wikipedia.org].
There was a program you could load that would play a tune. But we would also just leave the radio there during normal use. We swore we could tell when the Fortran compiler was processing a FORMAT statement:
(The last bit is the FORMAT statement
Re: (Score:3)
Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.
You don't need any fancy equipment, any AM radio will do.
Given how successful Stuxnet was at infecting across the airgap (by way of poor USB policies) it is rather plausible that you could rely on a trojan horse (in the most literal sense of the term) to get inside and start broadcasting sensitive information out, be they keystrokes or fragments of files or whatever.
Re: (Score:2)
Yes and you could call those trojan horses "keyloggers".
Some rather enterprising (yes, it's a pun) security experts use a "read-only" USB ports policy as a way to have a quasi-airgapped system, where you can still bring in software updates on a USB flash drive but can't exfiltrate any data via the same. This would totally side-step that measure, making it novel in some situations.
Re: (Score:2)
Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.
You don't need any fancy equipment, any AM radio will do.
That reminds me of the Altair 8800 [wikipedia.org] and what some call the machine's first program that actually "did something", which ran various lengths of different timing loops in the CPU which had the effect of playing Fool on the Hill as RF interference on an AM radio placed nearby.
https://www.youtube.com/watch?... [youtube.com]
define crazy. (Score:1)
security measures are security measures, whether the threat is real or perceived is irrelevant.
Re: (Score:2)
It's a risk/cost analysis.
Tempest protected equipment is readily available from any number of suppliers. If you want to spend the price of a car for a shitty mid-range desktop that'll probably protect you from this kind of attack, the option is there and has been for some time.
Re:define crazy. (Score:5, Insightful)
There's always something you could be doing more securely; but only sometimes is it worth it.
Slow news day (Score:2)
Faraday cages around what?
If you can get that near to a keyboard, you'd just use an electronic device recording the reflection of photons off the keyboard.
It's called a camera.
Re: (Score:2)
Last I checked, cameras don't work from the adjacent office. Or floor above or below. Or any other place that would block optical spying but not from picking up EM radiation.
you like my new necklace? (Score:3)
Somehow I don't think a secure location is going to be too worried about this type of attack unless someone can show it working with an extremely small receiver which is also able to log the data for later use. Also note that even at the slow rate she was typing it still missed characters.
So while academically interesting, this seems to be something of very limited concern. Of course, if you see an antenna like that in the coffeeshop you might want to leave.
Re: (Score:2)
reminds me of this guy that's been bringing his whole desktop PC to caribou coffee every day for 3 years
Faraday cage? (Score:2)
Seems like there are some really easy ways to prevent some sort of EM signature from leaking.
Re: (Score:2)
people throw around the term "Faraday cage" without understanding. Real world faraday cages *attenuate*, they do not completely block signals.
Re: (Score:2)
If sufficiently attenuated then whether it is totally eliminated or not becomes irrelevant.
What is more, if specific frequencies are specifically interfered with then snooping on the radiation becomes pointless.
The two things people are saying work are kicking out some interference and/or blocking the signals. But really in either case you only need to interfere with it to a point. Once it is garbled or attenuated enough that it cannot practically be detected/decoded then who cares. Listen to the white noise at
Re: (Score:2)
Faraday cages are nice until you need to stick a wire through them to plug into the wall. Enjoy your battery life (and/or jiggawatt laser outside pointed through the mesh at a solar panel inside)
Re: (Score:2)
There's no reason it shouldn't work with a power cable going into it. I don't know what you're talking about.
If the cage is grounded and has only very small holes in it then it shouldn't matter.
Correct me if I am wrong. This is my understanding of the principle.
Re: (Score:2)
As I understand it, the cable would become an antenna for whatever's going on in the cage.
Re: (Score:2)
from wikipedia:
""Examples
A microwave oven utilises a Faraday cage, which can be partly seen covering the transparent window, to contain the electromagnetic energy within the oven and to shield the exterior from radiation.
Elevators and other rooms with metallic conducting frames simulate a Faraday cage effect, leading to a loss of signal and "dead zones" for users of cellular phones, radios, and other electronic devices that require external electroma
Faraday's cages are not crazy. (Score:2)
BTW FCC radiation limits prevent CPUs from emitting too much radiation.
Re: (Score:2)
I'm going to have to assume that the computers logged were using FCC-compliant CPUs, seeing as nothing was said about using special noisy CPUs.
For keyloggers, obviously shielded keyboard electronics and cables helps. Once it gets into the CPU, a lot of other noisy things are also happening. Although strewing a couple of modules around the site that do nothing much more than emit random character codes in the same RF format would be worth considering.
Oh, it was never "crazy"... (Score:2)
As others have already noted, this is an old, old tactic. I'm a bit surprised that you can correlate enough of the broadband scream produced by a modern laptop to tease out keystrokes reliably, but not that surprised.
It's only "crazy" if you're spending disproportionate time, effort and money to conceal your boring, inconsequential data. And in these days of big-data sieves and ubiquitous surveillance, "boring" and "inconsequential" aren't what they used to be.
Re: (Score:3)
I would guess it would be cheaper in most cases for an attacker to black-bag the hardware (evil maid attack), or just use xkcd.com/538 and a wrench.
TEMPEST attacks are very low on my worry list. If I were running an organization that dealt with that sensitive a data, it would be well tucked away in a building designed from the ground up to keep cameras and detectors quite a ways from the juicy stuff. However, before I even bothered with that, I'd be working on physical security, network security, various
Old news and still needs pwned access (Score:3, Interesting)
Firstly this is old news,
Secondly, almost the first thing said in the video is that they had to install a driver on the target to force it to emit signals they could pull out of the noise. So it's a nice idea that if you have access to put software on the PC you can later get it to emit information, but if you are going to do that then why not use what else is there, because how often are all the target's other wireless interfaces fully disabled? I suspect unless your name is Snowden, not very often. Further, if you are that worried about leaking information that you go fully air gapped you would not be trusting a malleable OS to run from; much better to run from a live CD.
Re: (Score:2)
Secondly almost the first thing said in the video is that they had to install a driver on the target to force it to emit signals they could pull out of the noise.
At that point it's no longer 'bridging the air-gap' (which typically means exploiting across the air gap), it's communicating between two friendly entities through the air.
Which we've been doing for literally hundreds of millions of years.
How about spread spectrum clocking? (Score:2)
There used to be an option in BIOSes (may still be there, don't know) to enable spread spectrum clocking. This basically caused the system to slightly vary (spread out) various clocking signals in order to lower emissions at a particular frequency in order to pass FCC inspections.
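Spread spectrum clocking lowers the peak, not the total, emitted energy: the clock's fundamental is swept across a narrow band so a narrowband receiver (the EMC test receiver included) sees a smaller line. The following is an added example, not code from the thread or from any BIOS vendor: it builds a square-wave clock with and without a triangular frequency modulation, computes the DFT bins around the fundamental in pure Python, and reports the peak reduction. The record length, clock bin, inspection window and the deliberately large 5% deviation (real SSC uses a fraction of a percent; it is larger here so the effect is visible in a 4096-sample record) are constructed values.

```python
import cmath
import math

N = 4096            # samples in the constructed record
F0 = 100            # clock frequency in cycles per record, i.e. DFT bin 100
SPREAD = 0.05       # +/-5% deviation; exaggerated versus real SSC so the short record shows it
WINDOW = (80, 120)  # DFT bins inspected around the fundamental


def triangle(x):
    """Triangle wave with period 1 and range -1..1, starting at -1 (the usual SSC profile)."""
    x = x % 1.0
    return 4.0 * x - 1.0 if x < 0.5 else 3.0 - 4.0 * x


def clock(spread):
    """Square-wave clock whose instantaneous frequency follows F0 * (1 + spread * triangle(t))."""
    phase = 0.0
    samples = []
    for n in range(N):
        inst_f = F0 * (1.0 + spread * triangle(n / N))  # one modulation period per record
        samples.append(1.0 if math.sin(phase) >= 0.0 else -1.0)
        phase += 2.0 * math.pi * inst_f / N             # accumulate phase, keeping it continuous
    return samples


def dft_bin(samples, k):
    """Single DFT bin, computed directly (only a few bins are needed, so no FFT library)."""
    w = -2j * math.pi * k / len(samples)
    return sum(x * cmath.exp(w * n) for n, x in enumerate(samples))


def spectrum_window(samples, k_lo, k_hi):
    """Magnitudes of the DFT bins k_lo..k_hi inclusive."""
    return {k: abs(dft_bin(samples, k)) for k in range(k_lo, k_hi + 1)}


def peak_reduction():
    """Return (peak with fixed clock, peak with spread clock, reduction in dB)."""
    fixed = max(spectrum_window(clock(0.0), *WINDOW).values())
    spread = max(spectrum_window(clock(SPREAD), *WINDOW).values())
    return fixed, spread, 20.0 * math.log10(fixed / spread)


if __name__ == "__main__":
    fixed, spread, db = peak_reduction()
    print("peak bin magnitude, fixed clock:  %.0f" % fixed)
    print("peak bin magnitude, spread clock: %.0f" % spread)
    print("peak reduction: %.1f dB" % db)
```

For a square wave the fundamental line of the fixed clock sits at about N·(4/π)/2 ≈ 2607 in bin 100; with the sweep that energy is smeared across roughly bins 95..105 and the tallest bin drops by several dB. The reduction in the peak bin is what lets a design pass a per-frequency emissions limit, but the energy is still there in the neighbouring bins, which is why this addresses FCC limits rather than an eavesdropper able to integrate across the whole band.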
This thing requires malware to be installed anyway, at that point it's trivial to do anything. You could send things through any port which many computers have webcam lights, backlights and status indicators that can be controlled
1989 Okinawa and Russian "Fishing" boats (Score:2)
Geez, 30 years ago we were given a demonstration of snooping on non-Tempest equipment, with a van parked outside of our offices, showing keystrokes and fuzzy images of our monitors.
When I went to work at the RASC at Camp Kinser, just north of Naha (The mainframes were all housed in a building on the south side of the base, closest to the piers), there was always one or two Soviet "Fishing" vessels docked, with all sorts of crazy antennas (directional ones pointed at Camp Kinser), satellite dishes and such.